It is recognized that Safety Instrumented Systems (SIS) are used to protect hazardous industrial processes. An SIS failure could affect the safety of persons and/or the environment, or have serious economic consequences. The basic functional safety standard IEC 61508 provides a framework in which the required safety performance of the SIS depends on the required risk reduction, calculated from the risk posed by the process conditions and the tolerable risk level that needs to be achieved.

1. What input is needed for the SIS design?

To start any SIS design, we first need the functional and safety performance (safety integrity) requirements for the design. The document that serves this purpose is the Safety Requirements Specification (SRS). The SRS provides the functional requirements for the Safety Instrumented Functions (SIFs) and their associated safety integrity levels. It describes all SIFs and indicates, for each SIF, the required response time, the required proof test interval, resetting requirements, requirements for bypassing, the required response on SIF failure and much more.

We also need requirements and documentation for the Application Program to be implemented in the SIS. The Application Program safety requirements are derived from the SRS and the chosen SIS architecture. This documentation specifies the requirements for the real-time performance parameters of the logic solver, program sequencing and time delays, equipment and operator interfaces, the action to be taken on a bad process variable, functions enabling proof testing and diagnostic testing of external devices, and other software requirements.

The most important requirement for the design is that the constituent parts of the SIS shall correctly perform their functions. So, for example, the selected sensor measurement method shall be proven for the application, and wetted parts shall be selected on the basis of positive experience with the medium they contact. The same applies to the SIF final element subsystem: the designer shall consider which type of valve to select for the specific application, e.g. a ball valve instead of a gate valve, soft seal versus metal seal, etc. In other words, a SIS designer should consider whether the selected devices and intended functionality are inherently safe.

The SIS designer should also consider whether the proposed system is safe in use, i.e. how it behaves in case of operator or maintenance error, or where high competency or experience is lacking; we should avoid a situation where a device is safe only when it is operated by a highly competent person. Human Factors implications need to be widely considered.

The SIS designer shall also account for the fact that integration, manufacturing, commissioning, operation and maintenance might not be perfect, or that process dynamics, medium composition or equipment/device characteristics might not fully comply with the requirements specification. For example, if the requirements for handling a detected fault are omitted from or misinterpreted in the service documentation, the fault may not be repaired in time. In some cases, device lifetime might be considerably shortened by imperfect maintenance or by the process medium composition.

All of the above might be summarized as competency requirements; however, this goes beyond the functional safety scope.

2. What are the basic safety integrity requirements for the design phase?

There are three basic safety integrity requirements for the design phase, all aimed at ensuring that the system is sufficiently robust to random hardware failures and systematic/human faults. The safety standards require SIS designers to ensure the following:

1. The SIS complies with the minimum hardware fault tolerance requirements specified in the standards.

2. The SIS is sufficiently robust to systematic faults, i.e. human faults that can be made during the device manufacturing process and during the safety system design and integration phase. Techniques and measures for the avoidance and control of systematic faults are particularly important for programmable devices and for application program development processes.

3. The required response of the SIS and of the system operator on detection of a fault is defined, so that the design and the relevant procedures are prepared to meet the requirements specified in the safety standards.

3. Why do operation and maintenance requirements and constraints need to be addressed in the design phase?

The SIS designer will need to consider whether the system is designed with full consideration for the Asset Owner's existing operation and maintenance (O&M) regime, and whether the O&M requirements specified during the design phase are feasible and practicable. For example, a SIS designer may have assumed that an ESD valve will be tested at one-year intervals; however, how often the valve can be tested has not been agreed with the plant operator in advance, and in practice the test will require a plant shutdown. Similarly, the SIS designer sometimes assumes 100% proof test effectiveness for a valve. In reality, access to the device location for such maintenance work may be very limited, so this is difficult or impossible to achieve, and the only test that can be performed may be a full stroke test once every 4 years, achieving less than 60% proof test effectiveness for this device.

Overly optimistic assumptions result in an under-designed system, which yields an unsafe process application.
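As an added worked example (not part of the original article), the following Python code puts numbers on the proof-test argument above. It uses a commonly used simplified low-demand approximation for a single (1oo1) final element with imperfect proof test coverage, PFDavg ≈ PTC·λDU·TI/2 + (1 − PTC)·λDU·T_M/2, where PTC is the proof test coverage, TI the interval of the test actually performed and T_M the mission time after which untested failures are revealed by overhaul or replacement, and maps the result onto the PFDavg bands of IEC 61508-1 Table 2. The dangerous undetected failure rate (2.0E-7 per hour), the 20-year mission time and the two test regimes are assumed values chosen for illustration, not data from the page.

```python
# Added example, not from the original article: how proof-test assumptions
# change the achieved PFDavg (and therefore the SIL) of a single ESD valve.
# Simplified 1oo1 low-demand approximation with imperfect proof test coverage:
#     PFDavg ≈ PTC * λDU * TI / 2  +  (1 - PTC) * λDU * T_M / 2
# PTC = proof test coverage, TI = proof test interval, T_M = mission time after
# which failures the test cannot reveal are found by overhaul/replacement.
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0

# IEC 61508-1 Table 2, low-demand mode: (SIL, lower bound incl., upper bound excl.)
SIL_BANDS = ((4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


@dataclass(frozen=True)
class ProofTestRegime:
    name: str
    test_interval_years: float  # TI: how often the proof test is actually performed
    coverage: float             # PTC: fraction of dangerous undetected failures the test reveals
    mission_time_years: float   # T_M: time until overhaul/replacement reveals the rest

    def __post_init__(self):
        if not 0.0 <= self.coverage <= 1.0:
            raise ValueError("proof test coverage must be in [0, 1]")
        if self.test_interval_years <= 0 or self.mission_time_years < self.test_interval_years:
            raise ValueError("need 0 < test interval <= mission time")


def pfd_avg_1oo1(lambda_du_per_hour: float, regime: ProofTestRegime) -> float:
    """Average probability of failure on demand for one device (1oo1 voting)."""
    if lambda_du_per_hour <= 0:
        raise ValueError("lambda_DU must be positive")
    ti_hours = regime.test_interval_years * HOURS_PER_YEAR
    tm_hours = regime.mission_time_years * HOURS_PER_YEAR
    # Share of failures the proof test does reveal: exposed for TI/2 on average.
    revealed_by_test = regime.coverage * lambda_du_per_hour * ti_hours / 2.0
    # Share the test cannot reveal: exposed until overhaul, T_M/2 on average.
    never_tested = (1.0 - regime.coverage) * lambda_du_per_hour * tm_hours / 2.0
    return revealed_by_test + never_tested


def sil_from_pfd(pfd_avg: float) -> int:
    """Map PFDavg to the IEC 61508 SIL band; 0 means no SIL is achieved."""
    if pfd_avg >= 0.1:
        return 0
    for sil, lower, upper in SIL_BANDS:
        if lower <= pfd_avg < upper:
            return sil
    raise ValueError("PFDavg below 1e-5 is outside the IEC 61508 SIL scale")


def compare_regimes(lambda_du_per_hour: float, regimes) -> dict:
    """Return {regime name: (PFDavg, achieved SIL)} for each test regime."""
    results = {}
    for regime in regimes:
        pfd = pfd_avg_1oo1(lambda_du_per_hour, regime)
        results[regime.name] = (pfd, sil_from_pfd(pfd))
    return results


# Hypothetical values for illustration (not data from the article):
LAMBDA_DU = 2.0e-7  # dangerous undetected failures per hour for the valve assembly
ASSUMED = ProofTestRegime("assumed by designer", 1.0, 1.0, 20.0)    # yearly test, 100 % coverage
REALISTIC = ProofTestRegime("agreed with operator", 4.0, 0.6, 20.0)  # 4-yearly full stroke, 60 % coverage

if __name__ == "__main__":
    for name, (pfd, sil) in compare_regimes(LAMBDA_DU, (ASSUMED, REALISTIC)).items():
        print(f"{name:22s} PFDavg = {pfd:.2e}  RRF = {1 / pfd:,.0f}  -> SIL {sil}")
```

With these assumed figures the designer's yearly, fully effective test gives PFDavg ≈ 8.8E-4 (SIL 3 band), while the regime the operator can actually support gives PFDavg ≈ 9.1E-3 (SIL 2 band): the same valve, sized on the optimistic assumption, falls one SIL short once the real proof test interval and coverage are used. Most of the gap comes from the 40% of failures that the achievable test never reveals, which is why the proof test coverage deserves as much scrutiny in the SIL verification as the interval itself.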

ABB is the global leader for in-country TUV certified FSM processes for the design, engineering and service of SIS in accordance with IEC 61508/IEC 61511. We assist our customers with FSM development & gap assessment, SRS development, safety device selection and SIL Verification services. We also provide independent FS Audits and Assessments for any safety lifecycle stage. We provide a range of functional safety training courses covering all aspects of the Safety Lifecycle from initial hazard and risk assessment to asset decommissioning.